<%
=begin
apps: cert-manager
platforms: kubernetes, tanzu-application-catalog
id: secure_ingress_resources
title: Secure Ingress resources with Cert Manager
category: configuration
weight: 40
highlight: 40
=end %>

Once you configure an Issuer for Cert Manager (either [a Self-Signed Issuer](../../configuration/generate-self-signed-certificates) or [an ACME Issuer](../../configuration/generate-acme-certificates)), Cert Manager will make use of this Issuer to create a TLS secret containing the certificates. Cert Manager can only create this secret if the application is already exposed. One way to do this is with an Ingress Resource which exposes the application and includes the corresponding annotations for Cert Manager.

There are two options to expose your application through an Ingress Controller using Cert Manager to manage the TLS certificates:

* Deploy another Helm chart which supports exposing the application through an Ingress controller. For instance, use the [<%= variable :catalog_name, :platform %> Helm Chart for WordPress](https://github.com/bitnami/charts/tree/master/bitnami/wordpress) and [configure Ingress for WordPress](/<%= platform_path %>/apps/wordpress/configuration/configure-ingress/). To enable the integration with CertManager, add the annotations below to the *ingress.annotations* parameter:

   ~~~
   # Set up your ingress.class below (in this example, we are using nginx ingress controller)
   kubernetes.io/ingress.class: nginx
   cert-manager.io/cluster-issuer: letsencrypt-prod
   ~~~

* Create your own Ingress resource as shown in the example below:

   ~~~
   apiVersion: networking.k8s.io/v1
   kind: Ingress
   metadata:
     name: ingress-test
     annotations:
       # Set up your ingress.class below (in this example, we are using nginx ingress controller)
       kubernetes.io/ingress.class: "nginx"
       cert-manager.io/issuer: "letsencrypt-prod"
   spec:
     tls:
     # Replace the DOMAIN placeholder with the correct domain name
     - hosts:
       - DOMAIN
       secretName: letsencrypt-ca
     rules:
     # Replace the DOMAIN placeholder with the correct domain name
     - host: DOMAIN
       http:
         paths:
         - path: /
           pathType: Exact
           backend:
             service:
               name: ingress-test
               port:
                 number: 80
   ~~~
